Category Archives: Identity verification

You might recall I blogged about a bill being introduced to the GA legislature over a year ago to allow direct wine shipments into the State.

Earlier this week, Governor Sonny Perdue signed House Bill 1061, which allows wineries to ship wine directly to Georgians provided they have a “special order” shipping license from the State ($50 per year). With this license, wineries will be allowed to ship up to 12 standard cases of wine brand labels submitted to the State to an individual consumer over the course of a year.

In addition, the holder of a special order shipping license must require proper age verification for the consumer placing the order. Age may be verified by physical examination of government issued ID or by using an Internet based age and identification service.

As an identity and age verification provider, IDology continually monitors the market to stay up to date on the issues surrounding online identity and age verification. Today I thought I would share with you what we have recently compiled for age verification. This (very long) post presents age verification by industry and country and gives some background on what is going on in the market. I hope you will find this useful.

Examining Age Verification in Other Countries:

United Kingdom & Europe

Mobile Operators

In January 2004, the UK mobile market set a precedent for self regulation of new forms of content on mobile phones by developing a Code of Practice. The Code of Practice was developed by mobile operators Orange, O2, T-Mobile, Virgin Mobile, Vodafone and 3. The Code specifically covers new types of content, including visual content, online gambling, mobile gaming, chat rooms and Internet access but not peer to peer communications, although assurances were made to combat illegal, bulk and nuisance communications.

The Code of Practice addresses 8 categories. It called for an independent classification body to provide a framework for classifying commercial content that is unsuitable for customers under the age of 18. The classification will be equivalent to material in magazines, films, video and computer games. Content classified as 18 will only be available behind access controls and is made available only to those consumers who have been age verified.

The specific definition of the Code’s term for age verification is:

a process by which reasonable and practical steps are taken to verify that a customer is 18 or over. Acceptable methods of age verification include:

The Code also acknowledges that mobile operators have no control over Internet content and therefore cannot insist that it be classified following the framework described above. Because of this, the Code addresses offering parents and caregivers the opportunity to apply a filter. In addition, the mobile operators agreed to provide advice to customers, including children, parents and other caregivers through relevant media literacy activities and will post information on the Code on their web sites.

Age Restricted Ecommerce

Last year in the UK, a bill was introduced to Parliament to require age verification for the online purchase of age-restricted goods and services such as alcohol, cigarettes, pornography or gambling. Currently retailers in the UK handle age verification by relying on the honesty policy. Since early 2000 numerous articles and studies have been published about the ease with which underage consumers can access gambling sites, and as such the gambling industry has been the most proactive in establishing age verification techniques to prevent underage access.

Last fall the UK Government commissioned Dr. Tanya Byron to look at the risks to children from exposure to potentially harmful or inappropriate material on the internet and in video games. The Byron Review was released in March 2008 and includes recommendations for the UK government to undertake that will help parents feel confident that their children are using new technologies in a way that is appropriate for their age and development. The ultimate conclusion calls for reforms in the structure of how government, industry and others engage in e-safety and specifically recommends that a UK Council on Child Internet Safety be established that reports to the Prime Minister. Recommendations for the function of this Council are:

• That this Council should lead the development of a strategy with two core elements: better regulation – in the form, wherever possible, of voluntary codes of practice that industry can sign up to – and better information and education, where the role of government, law enforcement, schools and children’s services will be key.
• That the Home Office and Department for Children, Schools & Families (DCSF) should chair the Council, with the roles of other Government departments, especially Department for Culture Media & Sport (DCMS), properly reflected in working arrangements.
• That the Council should have a properly resourced cross-government secretariat to secure a joined-up Government approach to children and young peoples’ safety online.
• That the Council should appoint an advisory group, with expertise in technology and child development, should listen to the voices of children, young people and parents and should have a sustained and rolling research programme to inform delivery.
• The Council investigates where the law around harmful and inappropriate material could be usefully clarified (including suicide websites) and explores appropriate enforcement responses.

Several items are reviewed and discussed in this report including filtering software, search limitations, restricting access, and also age verification which Byron recommends to:

• Keep research and practice on age verification under continuous review, and disseminate good practice, such as placing a “cookie” onto a user’s computer where they have registered with under age details to prevent them from reregistering with false age details.

interactiveAgeCheck

In 2003, OUT-LAW News, which tracks the latest legal stories in IT and e-commerce, reported on an on-line program called “interactiveAgeCheck” (iAC) designed to prevent fraud and protect children. iAC is offered by CitizenCard, a non-profit organization and the UK’s largest photo-ID scheme, and allows accredited web sites within the program to check the details of users before allowing them access to the site. If the user is not recognized then access will be denied. Each application is verified stringently using several measures to counter fraudulent applications. The program is supported by government, the police and retail groups and was developed in conjunction with a credit data provider.

Valimo’s wireless signature services are accepted by financial banks as a secure authentication method. Within the press release Valimo states:

“Mobile signatures also provide age verification and anonymous access control. Proof that these partial authentication processes are in demand is the German government’s announcement that their electronic ID cards will feature a function to use pseudonyms to authenticate oneself to an online service without revealing one’s full identity.”

The press release further explains how this process works:

“When using Valimo’s mobile signature solution: Consumers receive authentication requests to the mobile phone. Valimo uses public key cryptography and an authorization process that allows only a bona-fide service provider to reach the user’s mobile phone. Consumers do not need to manually copy text out of the received short message. They confirm the login or transaction by returning a digitally signed message via SMS. For each authentication event, there is an electronic record (i.e. digital signature) that can be verified by a third-party process.”

Content Classification within the European Union

As recently as April 22 of this year, Reuters published an article about the European Union Executive Body’s decision to give videogame makers and shops two years to come up with a code of conduct that has wider industry backing than the current one. The industry is also being asked to spend more on advertising its symbols denoting the age suitability of games. The industry’s age classification system — Pan European Games Information (PEGI) — is sponsored by more than 200 industry members and used in 20 of the 27 EU states. There is also an online version but with far fewer industry backers.

The rules specifically address age verification and the quality control measures the providers of the content must follow to ensure that the applicant is the person they claim to be and meets the age requirements of the content access being requested. The rules do make provisions that consumer verification will be different for each content rating group. For MA15+ provisioning requires:

• a warning about the nature of MA 15+ content; and
• safety information about how a parent or guardian may control access to MA 15+ content by persons under 15 years of age.

Before provisioning access to R18+, the system must satisfy a risk analysis which means considering:

• the risk of whether the proof of age evidence could be held or used by another person, or someone younger than the age which the form of evidence attributes to the person being identified; and
• the kind of evidence provided and the manner in which it is provided.

The Explanatory Statement delves into the intent of the RAS Declaration and addresses why the RAS Declaration does not prescribe a specific method for verifying age to access R18+ content, which is both to recognize the breadth of current methods of age verification used across various content platforms, and to ensure that there is flexibility now and in the future to allow designated content/hosting providers to develop systems that best suit their business models.

ACMA is aware of a number of different methods of age verification currently operating that range from submission of proof of age in person and actual sight of the applicant and the proof of age (which may be a driver’s license, passport etc) to reliance on credit card verification. Access-control systems are required to keep a record for 2 years on how the age of the applicant is verified while also following Australia’s National Privacy Principles contained in the Privacy Act 1988.

Users will have to enter their name and national resident registration number, which will be checked against a database to verify the user — or at least the person whose data has been entered — is old enough.

The system will be combined with a localized version of the SafeSearch system that is already used on Google’s main English-language search engine to ascertain the context of the search so that queries for, for example, “rape” are challenged but those for “rape shelter” are not.

Examining Age Verification in USA Industries

CTIA – the International Association for Wireless Telecommunications Industry

Wireless carriers in conjunction with CTIA have voluntarily adopted the Wireless Carrier Content Classification and Internet Access Control Guidelines in an effort to provide consumers with the information and tools they need to make informed choices when accessing content using a wireless handset. According to the CTIA website, these guidelines are as follows:

• Carrier Content Classification Standards – a significant component of the Wireless Carrier Content Guidelines is the voluntary content classification standards for carrier content—those materials that are offered specifically on the carrier’s managed content portal, also known as the carrier’s “deck”, or any third-party content whose charges are included on a carrier’s bill. Carrier Content is divided into two classifications: “Generally Accessible Carrier Content” and “Restricted Carrier Content.” Generally Accessible Carrier Content is available to consumers of all ages. Restricted Carrier Content is accessible only to consumers age 18 years and older or to a consumer less than 18 years of age when specifically authorized by a parent or guardian.
• Providing Parental Controls on “Restricted Carrier Content” – The wireless industry has pledged not to offer any “Restricted Carrier Content” until it has provided controls to allow parents to restrict access to this type of content, based on the content classification standard. Each carrier is responsible for its implementation of access controls, including age-verification mechanisms. Additionally, the industry will undertake an education campaign to inform and educate consumers on how they can prevent unauthorized access to age-restricted carrier-controlled content.
• Content Rating Standards – Wireless carriers are working to define content rating standards to more fully inform consumers about the characteristics of carrier content and its suitability for particular audiences. The content rating standards will leverage existing rating systems familiar to consumers such as movie, television, music, and gaming rating systems.
• Internet Access Controls – As with carrier content, the industry is developing “Internet Access Control” technologies that will enable wireless account holders to limit access to specific websites. Currently, all major carriers provide consumers with the ability to completely block Internet access on their devices. Although carriers have no control over content generally available on the Internet, providing filters and tools is an important step intended to give consumers, particularly parents, the ability to limit the Internet content that can be accessed through their family’s wireless devices. Wireless companies are aggressively researching technological solutions and are implementing them on a carrier-by-carrier basis.

Wine Industry

In 2005, the Supreme Court opened up the direct shipment of wine on a state by state basis. As part of this, wineries and direct shippers must verify proof of age at the time of purchase. Industry organizations such as WineAmerica and The Wine Institute continue to educate members about the compliance tools available, including how to verify age when consumers are not present. Both organizations have partnered with providers to offer these services to their members.

In 2006, the State of Michigan passed a bill that allowed direct wine shipments into the State provided that the Direct Wine Shipping Requirements of the Michigan Liquor Control Commission are followed. The requirements specifically state:

“You must verify that the person placing the order is at least 21 years of age through obtaining a copy of photo identification issued by the State of Michigan, another state or the federal government or by utilizing an identification verification service.”

As part of this, the Michigan Liquor Control Commission conducted a review of identity and age verification services. To provide these services within Michigan a provider must be an approved vendor. This is the first legal governing body to test and approve electronic age verification solutions.

Tobacco Industry

The Master Settlement Agreement, signed in November 1998, strictly prohibits the marketing of tobacco products and promotional merchandise to anyone under 18. As part of this, tobacco companies must age verify consumers before they are allowed to enter a tobacco website or receive any direct marketing materials.

Entertainment Industry

The motion picture, music recording and electronic game industries have adopted a self-regulatory program to address violence, sexual content, language, drug use and other explicit content that may be of concern to parents.

Following the Columbine tragedy in 1999, President Clinton asked the Federal Trade Commission and the Department of Justice to conduct a study of whether the movie, music recording, and computer and video game industries market and advertise products with violent content to youngsters. The results of the study were published in September 2000 and concluded that these industries routinely target children under 17 as the audience for material they themselves acknowledge is inappropriate for children and warrants parental caution, which undermines their own programs and limits the effectiveness of the parental review programs. Furthermore, retailers were making little effort to restrict children’s access to products with violent content. Within the report certain calls to strengthen self regulation were made:

• Establish or expand codes that prohibit target marketing and impose sanctions for violations
• Improve self-regulatory system compliance at the retail level including avoiding sales of R-rated, M-rated/advisory-labeled products on Internet sites unless they use a reliable system of age verification.
• Increase parental awareness of the ratings and labels.

…with few exceptions, general compliance with existing voluntary standards but insufficient attention to the development and application of these standards to evolving market trends…

The practice of marketing R-rated and M-rated movies and explicit content labeled movies to media with teen audiences is particularly evident in the industries marketing on the Internet. Although the video game industry has adopted limits on Internet advertising, the relevant standard – ads cannot appear on a site where more than 45% of visitors are under 17 – is so permissive that advertisements for M-rated games can reach large numbers of young teens and children. Moreover the Commission’s review found many examples of noncompliance with even that limited restriction. The movie and music industries have adopted no standards restricting Internet advertising or R-rated movies and explicit-content labeled music.

An article published last year in USA Today discusses the issue of red band trailers. While some movie studios, like Sony, Universal and Paramount, have implemented age verification to watch online “red-band” trailers, or movies that USA Today refers to as “heavy on raunch or violence”, many of these same trailers can be seen elsewhere on the web, including the popular video sharing site YouTube.

I’m back from the RSA conference and how exhausting. Understandable considering there were 17,000 people at the show—all focused on the security industry.

In case you didn’t see it, we made an announcement during RSA about our partnership with Upek, a biometrics company based in the Bay area. What I find exciting about this partnership is that it shows just how complementary our solutions are with other authentication technologies. In a whitepaper we published over a year ago we showed a diagram of where identity verification fits in the puzzle and how it is central to other verification tools.

Biometrics in an online environment falls into this sphere and requires a proofing solution because what good does it do to enroll someone’s fingerprints if the fingerprints aren’t those of the person he/she is claiming to be? This is why we decided to show the power of our two technologies working together through a joint demonstration.

Another observation from RSA is that there continues to be a lot of interest and discussion about age verification and social networks. If you recall, last year there was a panel session called Pandora’s Box discussing child safety and the Internet. Admittedly this year I didn’t attend the sessions as much since we were an exhibitor, but based on the questions and discussions on the show floor, it is clear people are concerned and also aware of the Internet Safety Technical Task Force.

Zach Martin, editor of CR80 News, recently published an article about the identity and age verification issues we are facing in social networks. You definitely should check it out, but in case you don’t have time, here are some important highlights:

When trying to get into a bar or club there is typically someone at the door checking IDs. But on social networking sites there is no bouncer, which means there’s no way to tell whether you’re corresponding with a 15-year-old girl or a 32-year-old man.

It’s the same no matter where you go. MySpace, Facebook, and professional networking site LinkedIn, do little to make sure people are who they claim to be. “There is a general feeling that social networking is the wild west of identity management and a lot of bad things happen because proper controls haven’t been put in place,” says Roger K. Sullivan, president of the Liberty Alliance Project management board.

The stories range from the tame to the tragic.

A student not happy with an administrator at school creates a profile on a social networking site. Even though the student is a woman she creates a profile that is a man and then flirts with the administrator in order to cause her embarrassment later.

At a Catholic school in the Chicago suburbs, an administrator monitors the popular social sites on a regular basis just to make sure nothing out of the ordinary is happening. She has run into instances where students create accounts in other peoples’ names – people who actually exist – and then make false statements. For example, one student set up an account as a real person from another school and made statements about the student’s sexual proclivities while giving out her real phone number.

In 2006, a fake profile led to the suicide of a 13-year-old Missouri girl. A classmate’s mother originally created the profile to find out if Megan Meier was saying anything bad about her daughter. But then it was used to gain Meier’s confidence and then to tear her down. Angry messages went back and forth, and it ended with Meier hanging herself.

There’s also the need to prevent pedophiles from contacting children online. MySpace has agreed with different states’ attorney generals to adopt better technologies that will help identify underage users so they can be protected from predators, but the social networking site hasn’t figured out how it’s going to do it.

The vast majority of sites don’t do anything to try to confirm the identities of members. The sites also don’t want to absorb the cost of trying to prove the identity of their members. Also, identifying minors is almost impossible because there isn’t enough information out there to authenticate their identity.

But this may all change. As sites become more scrutinized they will have to take steps to make sure people are who they say. “There will be a trend to use a third party that leverages database information that will be able to vouch for you and provide a more certain level of identification,” says Eric Skinner, chief technology officer at Entrust, an Addison, Texas-based digital identification vendor.

There are a handful of vendors that are offering online identity vetting. Most are working with financial institutions, but they see business opportunities with the social networking sites.

The article goes on to describe some social networks and their use of identity verification, including one of our clients, FunkySexyCool, and their use of our system. It also discusses the privacy concerns related to age verification of minors and provides a possible solution the Liberty Alliance is discussing, essentially related to ID 2.0.

Liberty Alliance’s Sullivan, who is also vice president of Oracle Identity Management, says it’s only a matter of time before social networking sites offer tiers of identification assurance, which could be used to confirm a minor’s identity. For example, if a 14 year old wanted to sign up on MySpace without a parent’s permission they would be placed on the lowest ID tier. “They would be put into a question mark bucket,” Sullivan says.

But if one parent went online and confirmed his child’s identity they would be raised up a tier. If both parents did it they would go up two tiers. The parents would be authenticated through public records and online databases.

Eventually there would be a fourth tier as well. A minor would physically go to a trusted source with documents that prove their age and identity. These identity assurance sources don’t exist, but it’s something the Liberty Alliance is working toward, Sullivan says.

The next task force meeting will be later this month and I’m looking forward to seeing how the conversation progresses. I firmly believe we can find several ways to combat the issues at hand including both an educational approach and technological approach.

On another note, I’m off to the RSA Conference next week. IDology has a booth this year so if you are in San Fran, stop by and see us.

The Task Force is being led by John Palfrey, who is the Executive Director at the Berkman Center for Internet & Society at Harvard Law School. Among its members are organizations concerned with this issue including Non-Profits, Academics, Prominent Internet Businesses and Technology Companies, of which IDology is one of the appointed members. Other member names you will recognize are AOL, Symantec, Microsoft, Verizon, Google, Facebook, Xanga, Yahoo, WiredSafety.org and more.

“We should work together – private firms, technologists, experts from the non-profit world and leaders in government – to solve online safety issues as a joint effort.”

I couldn’t agree more with Palfrey. The task force faces a very difficult issue where there are differing opinions. I believe all of its members need to keep an open mind and a team approach if we are going to make headway in solving this problem to create a safe online environment for our children.

I look forward to having healthy, productive discussions on the issues at hand.

Customers and non-customers of a credit union recently received fraudulent emails as part of an elaborate phishing scam. It appears that the fraudster included IDology’s brand as part of their attempt to capture consumers’ banking information by setting up a fake website that looks similar to our corporate website.

First, I would like to emphatically say that IDology is dedicated to consumer privacy and protecting sensitive data. It’s important to understand that while our services might involve consumer interaction, we do not directly target consumers. Our “customers” are businesses. This means we would never capture personal information like a SSN or bank account information from anyone on our website.

Ironically, if the hosting provider had been using our services then we would have spotted the fraud before they could have set up the website. I am wondering how many fewer phishing scams would occur for financial institutions if the hosting provider required identity verification before they hosted a website.

Here are some great sites to visit to learn more about phishing scams and fake emails and how to recognize them:

Today’s press release out of North Carolina Attorney General’s Office Roy Cooper is a big deal. Here’s the first paragraph:

In a victory for social networking safety, Attorney General Roy Cooper and 49 other attorneys general today announced that MySpace has agreed to significant steps to better protect children on its web site, including creating a task force to explore and develop age and identity verification technology.

It’s been a long 2 years in this education process and the fruits of our labors are finally coming to fruition. Given MySpace’s leadership position and popularity, gaining recognition and cooperation from them will only serve to help advance identity and age verification technologies growth in the market. Here are some words that are music to my ears:

MySpace acknowledged in the agreement the important role of age and identity verification technology in social networking safety and agreed to find and develop on-line identity authentication tools.

Obviously there is still a lot of work to do but I’m glad to see that we are all going to roll up our sleeves together and do what is best for our kids – find a way to help keep them safe online.